This story is over 5 years old.

What We Know About the Exploits Dumped in NSA-Linked Hack

Researchers have quickly ascertained a lot about the exploits and hacking tools in the 'Shadow Brokers' dump.
August 17, 2016, 12:05pm

Earlier this week, researchers started poring over a mysterious cache of computer exploits and other tools that a hacker or group of hackers going by the name The Shadow Brokers had dumped online. There is now little doubt those tools belonged to an NSA-linked group.

On Tuesday, cybersecurity company Kaspersky published its analysis of the data, and drew strong links between the dump and the Equation Group, an organisation of hackers widely believed to be part of the NSA. The Washington Post, quoting two former-NSA hackers, also wrote that the data belonged to the spy agency.


But what exploits and tools were actually stolen? What products did they target? And did they work?

For many of the exploits, it's easy to tell what product they were designed to target

The files appear to be from 2013, with the latest timestamped from October that year, according to Claudi Guarnieri, a researcher who has studied government malware samples for years.

Most of the tools, many of which are coded in Python, are for targeting firewalls—systems that regulate what sort of traffic can travel in or out of a network. Corporations and governments use these systems for keeping out attackers, but with an exploit, a hacker might be able to circumvent or otherwise break through that firewall and gain access to the network.

A summary written by security researcher Mustafa Al-Bassam suggests some of the exploits allow remote code execution, meaning an attacker could run their own commands on the targeted system, while others grant privilege escalation, so a hacker could potentially get administrative powers on the machine. This means someone who has these exploits could potentially break into a firewall, use one of the tools to install their own software on the target network, and then spy on its users.

ESCALATEPLOWMAN is actually a privilege escalation exploit against WatchGuard firewalls. The hint is in the path.
— Mustafa Al-Bassam (@musalbas) August 16, 2016


Other tools in the dump act as implants, allowing an attacker to keep a foothold on the network so they might be able to come back later and launch further attacks. Additional bits of code include a script for encrypting and sending your own file to a target system—perhaps useful for sending malware.

These tools and exploits are geared toward specific vendors and product models. According to Al-Bassam's overview, they target products made by Cisco, Fortigate, TOPSEC, Watchguard, Juniper, and a number of currently unknown vendors. In all, he lists 39 different exploits, tools, implants or modules.

For many of the exploits, it's easy to tell what product they were designed to target. For example, the EXTRABACON exploit cycles through different versions of Cisco's Adaptive Security Appliance until it identifies the version being attacked. The security researcher known as XORcat tested the EXTRABACON exploit, and confirmed that, once successful, an attacker is able to connect to a firewall without needing to enter a valid password or username. Nicholas Weaver, senior researcher at the International Computer Science Institute, tweeted that EXTRABACON was a zero-day exploit, at least in 2013. A zero-day exploit is one that uses a vulnerability which is unknown to the affected vendor.

Extrabacon seems to target Cisco Adaptive Security Appliances from 8.0 to 8.4 #ShadowBrokers #EquationGroup
— Matt Suiche (@msuiche) August 15, 2016


When asked about this attack, a Cisco spokesperson told Motherboard in an email that, "Cisco is in the process of investigating all aspects of the exploit. We are following our well-established process to investigate and disclose vulnerabilities. If something new is found that our customers need to be aware of and respond to, we will share it through our established disclosure processes."

Other exploits have been confirmed as legitimate and working too. Security researcher Kevin Beaumont reported on Twitter that an exploit for Fortinet firewalls worked, and Fortinet said in a statement that it was investigating.

The Fortinet exploit in #EquationGroup works. Really simple thing they exploited. Needs web mgmt access.
— Kevin Beaumont (@GossiTheDog) August 16, 2016

This isn't the first time that specific NSA tools have leaked outside of the agency. In December 2013, Der Spiegel published an article discussing a catalogue of different NSA hacking capabilities. (Researchers would go on to reverse engineer many of these items, and some of the tools in this latest dump were previously mentioned in the catalogue).

But this time, The Shadow Brokers have dumped the exploits so anyone can download them.